Plugging M&As from springing a security leak

(Image credit: Jariyawat Thinsandee / Freepik)

It’s no secret that many companies pursue growth through strategic acquisitions. Often, it’s seen as easier and strategically more sensible for organisations to buy ready-made solutions to plug any gaps they may have, rather than developing their own competitive product or service.

One only has to look at the M&A activity taking place in the tech sector in 2018 to see how popular it is as a means of growing a business. In 2018, for example, IBM purchased Red Hat for $34 billion in the largest ever software acquisition, while Broadcom bought CA Technologies for $18.9 billion, and Microsoft spent $7.5 billion on acquiring GitHub.

In the UK, Sports Direct owner Mike Ashley has been on a one-man spending spree. The last 18 months have seen him successfully acquire high street names including House of Fraser, Evans Cycles and Jack Wills, as well as making advances on Patisserie Valerie, LK Bennett, and Hamleys. And this level of activity is only set to continue, with EY reporting the strongest outlook for the M&A market it had ever seen.

But, while an investor might be satisfied that these acquisitions suitably enhance their existing portfolio, can they be sure they come with a fully-integrated and watertight security strategy, with no blind spots and vulnerable legacy systems? Acquisitions can often pose threats to an organisation’s network security. Like an old house that’s been built on and added to over the years, not everything is uniform. And when pieces don’t fit snugly together, cracks can begin to appear.

It’s vital, therefore, that purchasing companies can seal these cracks, and protect themselves from any threats that might arise from an acquisition – particularly when it comes to the data that moves through the business. In fact, a recent report found that 77 per cent of M&A experts recommended one acquisition target over another based on the strength of a cybersecurity programme – so learning how to plug any cybersecurity holes is paramount.

The need for visibility

To this end, the value of data cannot be overstated – the new oil, as the cliché goes. The insight data offers into an organisation’s operations, its customers, its competitors, its supply chain, is truly invaluable. However, unlocking that value requires that data to be freely moved around. Whether it’s a customer’s account in a database or a service in the cloud that powers a company’s apps, data at rest will cost businesses money. The value only comes from data in motion – but you need to be able to see it in order to move it around.

It’s widely assumed that an organisation’s network administrators and IT security teams know and can see into every corner of their network. Unfortunately, this isn’t the case, and the bigger the organisation, the less visibility they will have. This lack of visibility makes it difficult for CTOs and CISOs to carry out the important function of protecting their digital estate, made up of known and unknown digital assets. And the only way to understand what these unknown assets are is to discover the network – how it’s composed, what it looks like, and what’s travelling across it. Unfortunately, acquisitions only complicate matters.

Expanding attack surface

Whether hostile or complementary, each type of acquisition comes with its own challenges. An acquired company might be relatively small, or an acquisition could see the merging of two large companies. Either way, M&A activity is rarely good news for an organisation’s network security. For one thing, a small company’s security infrastructure is not likely to be as strong as that of a larger organisation, which will have greater financial resources.

On the other hand, there will be less visibility of a larger organisation’s network. In some cases, it’s possible that an acquisition could result in a combination of the two – a large organisation with poor security as well as little visibility into its network. Attackers will always look for the easiest pathway into an organisation’s network. Connecting into another company’s network to share data, or to share communications to tie two businesses together, will create another pathway and, in doing so, expand the potential attack surface.

What’s more, the CTO, the CISO, and their security team will have even less visibility than they did before. The more often this happens, and the bigger the organisation gets, the worse the problem becomes; attackers are essentially being given more to play with. Reducing the size of this attack surface needs greater visibility, and this requires pre-emptive action. It’s important to ensure that secure connectivity infrastructure is in place before the acquisition is even underway.

By employing a solution that not only enables them to discover the network, but also looks at every item of data flowing across it, a security team will enjoy full visibility of all the underlying network traffic. Effective security operations and, indeed, effective business before, during and after an acquisition require a single pane of glass that shows all of an organisation’s data in motion – at scale.

Data sovereignty

As if the issue of visibility wasn’t enough, there’s also the sovereignty of data to consider. A multi-national organisation may have visibility of its data, but it may not be able to move it effectively. Localised legislation such as GDPR, which prevents personally identifiable information (PII) being moved around, must therefore be taken into consideration within the context of an M&A’s security operations. A company with a presence in Germany, for example, wouldn’t be able to move PII back to the UK or elsewhere overseas to be processed.

Protecting an organisation while adhering to sovereign laws requires a highly distributable operation, in which security operations are made partially or wholly sovereign in the regions within which they’re deployed.

Unlocking the value of data requires complete visibility of the movement of data within an organisation – and within any organisation it has acquired. It’s important to view this in the context of the sovereignty of any data being collected, and the regulatory implications of moving it between the different countries within which an organisation operates.

Automated discovery is essential, too, in mapping out the known and unknown assets that make up an organisation’s digital estate. Only by knowing what data is flowing through a business, and where that data is at any point, is it possible to protect it. Ultimately, acquisitions make strategic sense for business growth, but they certainly bring their own unique threats. As acquisitions plug gaps in an organisation’s portfolio, so those organisations should plug the gaps that an acquisition can open up in their network security.

Martin Rudd, CTO, Telesoft Technologies

Martin Rudd is the CTO of Telesoft Technologies, a UK company specialising in cyber security for high-density cyber environments, including network and government organisations.